Network content policy providing related search result

ABSTRACT

Methods, computer systems, and computers for responding to requests for content that is subject to network policy can provide a landing page that displays a search result related to the requested content. The landing page can be specific to one or more of the content being requested and the identity of a user making the request.

TECHNICAL FIELD

This disclosure relates to computers and, more specifically, to network policy services.

BACKGROUND ART

Network policies can be used to prevent undesirable material from being retrieved by a computer. Such material can include malicious code that detrimentally modifies the behaviour of the retrieving computer or adult-oriented material that is unsuitable for viewing by a child that has access to the computer.

Enforcing network policy is known to be done using domain name service (DNS) redirection, in which a request for a web site is redirected to a host that filters or blocks the material at the web site. One disadvantage of this approach is that all requests to a specific Internet protocol (IP) address or domain are affected, when only one or a few pages hosted at the IP address may be the target of the policy. Thus, DNS redirection is too coarse, particularly when applied to IP addresses that host a large amount of varied material.

Informing the user of the computer that their request was subjected to policy is known. However, current methods of doing so do not provide users with sufficient and intuitive options as to how to proceed after a request for material has been blocked.

SUMMARY OF INVENTION

Methods, computer systems, and computers for responding to requests for content that is subject to network policy are disclosed.

Responding to a content request can include providing a landing page that displays a search result related to the requested content. The landing page can be specific to one or more of the content being requested and the identity of a user making the request.

BRIEF DESCRIPTION OF DRAWINGS

The drawings illustrate, by way of example only, embodiments of the present disclosure.

FIG. 1 is a network diagram of a computer system.

FIG. 2 is a block diagram of a server.

FIG. 3 is a block diagram of a client computer.

FIG. 4 is a flowchart of a method of providing a landing page.

FIGS. 5-7 are tables of policy databases.

FIG. 8 is a diagram of a landing page.

FIG. 9 is a diagram of another landing page.

DESCRIPTION OF EMBODIMENTS

The techniques described herein can allow for more granular policy enforcement than what is achievable using DNS redirect. This advantageously allows policy to be enforced on the basis of web pages. Moreover, policies can also be based on user identity and can be provided in a way that provides an intuitive path forward for users.

FIG. 1 is a diagram illustrating a computer system 10, in accordance with an embodiment of this disclosure.

The computer system 10 can include multiple client computers 12, 14, 16, a network 18, a gateway server 20, an interceptor server 22, a policy server 24, a message server 26, and a log server 28.

The network 18 connects the client computers 12, 14, 16 to the gateway server 20. Such a network 18 may include network devices such as hubs, routers, network cables, wireless access points, fiber-optic lines, and the like, as generally indicated at 30. In one example, the network 18 may be a private intranet under the control and administration of an organization such as a corporation or institution, with the client computers 12, 14, 16 being workstations exclusively used by individuals belonging to such organization. In another example, the network 18 may be accessible to client computers under the control and administration of different organizations, and as such the network 18 may be a public or semi-public network. That is, the gateway server 20 may be accessible to the client computers 12, 14, 16 using login credentials over a public network, such as the Internet. Irrespective of the specific structure of the network 18, the network 18 provides for data communication between the client computers 12, 14, 16 and the gateway server 20.

The gateway server 20 connects the network 18, and thus the client computers 12, 14, 16, to a content network, generally indicated at 32. The content network 32 includes a plurality of routers and other network devices, generally represented at 34, that provides for data communication between the gateway server 20 and sources of content, generally shown at 36. The gateway server 20 may further include additional network devices such as hubs, routers, network cables, wireless access points, fiber-optic lines, and the like, but these are omitted from the figure for clarity and will not be discussed in detail. The network 32 can be the Internet.

Sources of content 36 accessible to the client computers 12, 14, 16 via the gateway server 20 include web servers, file transfer protocol (FTP) servers, streaming media servers, and the like. As such the content available includes web pages, files, streaming video and audio, and similar content.

The interceptor server 22, policy server 24, message server 26, and log server 28 may form a policy service network 38, which may include network devices such as hubs, routers, network cables, wireless access points, fiber-optic lines, and the like, which are omitted from the figure for clarity. In some embodiments, the gateway server 20 forms part of the policy service network 38. In some embodiments, policy service network 38 may serve any of multiple different content-consumer networks 18 and multiple different content-source networks 32.

In some embodiments, any two or more of the networks 18, 32, 38 may be part of the same larger network, such as the Internet. In some embodiments, the networks 18 and 38 are part of a large organisation's wide-area network.

The gateway server 20 is configured to receive content requests 40 from the client computers 12, 14, 16 to access web sites or other resources 36 accessible via the content network 32. The gateway server 20 is further configured to either explicitly redirect content requests 40 to the interceptor server 22 in the form of access requests 42 or to transparently copy the content requests 40 to the interceptor server 22 in the form of outbound access requests 42. Any given content request 40 can include a network location of the requested content, such as a uniform resource locator (URL), that has had an associated link clicked, has been typed in, or has otherwise been selected via a web browser, or other user agent, at the requesting client 12, 14, 16. Content requests 40 can alternatively include information submitted by the client computers 12, 14, 16 using a request method, such as the hypertext transfer protocol (HTTP) POST method, the HTTP GET method, or similar. Such information can include search keywords/phrases that are to be provided to a search engine to carry out a search.

The interceptor server 22 is configured to authenticate the requesting client computer 12, 14, 16 based on access credentials associated with the requesting client computer 12, 14, 16. The access credentials may be an IP address of the requesting computer 12, 14, 16, a username and a password combination entered by a user of the requesting computer 12, 14, 16, or similar. The access credentials can form the basis of an identity of the user of the requesting computer 12, 14, 16.

The interceptor server 22 is further configured to verify the access credentials by matching them with pre-stored verification information, such as IP addresses, encrypted or hashed versions of passwords, or similar. The interceptor server 22 may maintain a database of such verification information in association with identifying information of users of the client computers 12, 14, 16, including any of organizational information, such as organizational role and job title; demographic information, such as sex, location, ethnicity, and age; and personal information, such as name, date of birth, employee number, student identification number, and the like. The interceptor server 22 can thus use the access credentials originating from the requesting computer 12, 14, 16 to determine the identity of the user of the requesting computer 12, 14, 16. In some embodiments, the access credentials themselves may be taken as the identity.

The identity may be reasonably unique to the user, such as name or identification number, or may be a broader group-based characteristic, such as the user's age group or sex. The identity may include a combination of several characteristics, such as age and organizational role (e.g., minor student, student at age of majority, and teacher).

If the requesting computer 12, 14, 16 is authenticated, the interceptor server 22 is further configured to send a policy request 44 that includes the determined user identity along with the content request 40 to the policy server 24. Identities, and particularly group-based identities, are discussed in WO2011/004258, which is incorporated herein by reference.

The policy server 24 is configured to determine whether a restrictive policy applies to the requested content. Restrictive policy may be based on the identity of the user and the requested content or may be based on the requested content without regard to the identity of the user (e.g., all users are subject to the same policy). In one embodiment, the policy server 24 stores a policy database that associates URLs and identities to policies (see FIG. 6). In another embodiment, the policy database associates search keywords/phrases to policies (see FIG. 7). This allows fine-grained application of policy to content located at different URLs or content associated with certain search keywords/phrases.

The requested URL or keywords/phrases and identity, if used, received from the interception server 22 are then used in a database query to obtain any resulting policy. When no restrictive policy applies, the policy server 24 can be configured to indicate such to the interception server 22, which is configured to indicate to the gateway server 20 that the content request 40 is not subject to restrictive policy and can be handled normally, as requests for and responses of content, indicated at 47.

Policies can be based on individual users or can be group-based, such as described in WO2011/004258. The policy server 24 is configured to send a policy output 46, which identifies the requested URL or search keyword/phrase, to the message server 26.

The message server 26 is configured to construct a policy message 48 in response to the policy output 46. The policy message 48 includes at least a search query that is based on the policy output 46 and, specifically, based on the URL or search keyword/phrase in the policy output 46, which originated from the client computer 12, 14, 16 with the request 40.

The message server 26 can construct the search query in various ways. In one embodiment, the search query includes a URL of a search engine, with such URL including search parameters based on the originally requested URL or search keywords/phrase in the content request 40. For example, if the user of the requesting computer 12, 14, 16 clicks or inputs a hyperlink that causes the content request 40 to specify

http://www.badsite.com

then the message server 26 constructs a search query of

http://www.searchengine.com/search%3Fq=www.badsite.com

so as to indicate a search results page that would have been obtained had the user of the client computer 16 instead clicked or inputted a search string “www.badsite.com” into the search engine hosted at “www.searchengine.com”. (The string “%3F” is a URL code for the symbol “?” which denotes an initial key-value parameter.)

In another example, if the user of the requesting computer 12, 14, 16 enters the text

bad web sites

into a form of the search engine located at “www.badsearchengine.com” and presses submit, or otherwise initiates a search, the message server 26 constructs a search query of

http://www.searchengine.com/search%3Fq=bad+web+sites

so as to indicate a search results page that would have been obtained had the user of the client computer 16 instead used a different search engine to conduct this search. This can advantageously allow a user to be steered away from a search engine that perhaps provides high ranking hits to web sites that violate policy and towards a search engine that provides high ranking hits to web sites that conform to policy.

The message server 26 includes the search query in the policy message 48, which is then sent to the policy server 24.

The policy server 24 is configured to receive the policy message 48 and, in response, obtain a location 50 of a dynamically generated landing page (see FIGS. 8 and 9). Obtaining the location 50 of the landing page can include constructing a URL for the landing page, which may be hosted at the policy server 24, the message server 26, another of the servers 22, 28, or a different server. The landing page 50 contains a human-readable message indicative of the applied policy as well as a display element, such as an iframe, for the search result. The search query can be included in the landing page location 50 as, for example, a parameter in the URL of the landing page. The search query can be provided to the landing page in other ways, depending on the technique used to dynamically generate the landing page.

For example, if the applied policy pertains to malicious code or malware and the search query is as above, namely

http://www.searchengine.com/search%3Fq=www.badsite.com

then the landing page location 50 may be expressed as

http://malwarelandingpage.netsweeper.com?show=www.searchengine.com/search%3Fq=www.badsite.com

in which the search query is passed as a value of the parameter key “show” so that a script may provide the iframe, or other display element, of the dynamically generated landing page with the search query, so that the iframe in the landing page can display the search result.

The policy server 24 is configured to forward the landing page location 50 to the gateway server 20, which is configured to provide the landing page location 50 in response to the content request 40. This may be achieved by the policy server 24 sending an HTTP 302 response to the gateway server 20 with the landing page location 50 contained in the header of the HTTP 302 response.

When the requesting computer 12, 14, 16 receives the landing page location 50 in response to the content request 40, the requesting computer 12, 14, 16 displays the landing page in its web browser or other user agent. As a result, when the content request 40 is governed by restrictive policy, the user of the client computer 12, 14, 16 that made the content request 40 is shown a landing page 50 that contains a search result related to the content request 40.

Links in the search results may be clicked, or otherwise selected by the user, to initiate subsequent content requests 40, which are handled as described above. Accordingly, the gateway server 20 allows such a content request 40 and provides content in return, as indicated at 47, when such content request 40 is not restricted by policy. Conversely, a subsequent landing page will be provided if a link in the landing page results in a content request 40 that is subject to restrictive policy.

The policy server 24 may further be configured to send logging information 52 regarding any one or more of policy requests 44, policy outputs 46, policy messages 48, and landing page locations 50 to the log server 28, which is configured to store log entries for future reference. The logging information 52 may include the contents of the policy requests 44, policy outputs 46, policy messages 48, or landing page locations 50.

In other embodiments, more or fewer servers than the servers 20-28 are used. Functionality described herein with respect to several servers can be performed by fewer servers or even a single server, with any associated communications between physical servers described herein being configured instead as communications between processes or being subsumed.

FIG. 2 shows an example computer that can be used as any of the gateway server 20, interceptor server 22, policy server 24, message server 26, and log server 28. The server can include a processor 60, memory 62, a network interface 64, and can further include a display 66 and other user interface components 68. The processor 60, memory 62, network interface 64, and display 66 and other user interface 68 are electrically interconnected and can be physically contained within a housing or frame. The server may be a computer such as a rack-mount server, blade server, tower server, or another kind of computer, or a process or program running on such a computer.

The processor 60 is configured to execute instructions, which may originate from the memory 62 or the network interface 64. The processor 60 may be known as a central processing unit (CPU). The processor 60 can include one or more sub-processors or processing cores.

The memory 62 includes a non-transitory computer-readable medium that is configured to store programs and data. The memory 62 can include one or more short-term or long-term storage devices, such as a solid-state memory chip (e.g., DRAM, ROM, non-volatile flash memory), a hard drive, an optical storage disc, and similar. The memory 62 can include fixed components that are not physically removable from the server (e.g., fixed hard drives) as well as removable components (e.g., removable memory cards). The memory 62 allows for random access, in that programs and data may be both read and written.

The network interface 64 is configured to allow the server to communicate with other computers across a network. The network interface 64 can include one or more of a wired and wireless network adaptor as well as a software or firmware driver for controlling such adaptor.

The display 66 and other user interface components 68, if provided, can include a display device, such as a monitor, a bank of light-emitting diodes (LEDs), or similar for monitoring operations of the server. The user interface 68 can include an input device, such as a keyboard, mouse, touch-sensitive element of a touch-screen display, or similar device. The user interface 68 can be remote to the server and provided via the network interface 64 to a client computer operated by a remote administrator.

Although the servers 20-28 may have similar components, as described above, each server 20-28 may be configured in a manner selected for its purpose as described elsewhere herein. For example, the policy server 24 may be configured for high storage capacity (e.g., much memory 62), while the interceptor server 20 may be configured for high processing speed (e.g., multiple advanced processors 60).

One or more programs 70 can be provided to each of the servers 20-28 to carry out the processes described herein. Such programs 70 may reference data 72 in the form of databases, files, or other data structures.

FIG. 3 shows an example computer that can be used as any of the client computers 12, 14, 16. The computer includes a processor 80, memory 82, a network interface 84, and a display 86 and other user interface components 88. The processor 80, memory 82, network interface 84, and display 86 and user interface 88 are electrically interconnected and can be physically contained within a housing or frame. The client computers 12, 14, 16 may each be a computer such as a desktop computer, notebook computer, tablet computer, smart phone, netbook, video game or entertainment console, and the like.

The processor 80 is configured to execute instructions, which may originate from the memory 82 or the network interface 84. The processor 80 may be known as a CPU. The processor 80 can include one or more sub-processors or processing cores.

The memory 82 includes a non-transitory computer-readable medium that is configured to store programs and data. The memory 82 can include one or more short-term or long-term storage devices, such as a solid-state memory chip (e.g., DRAM, ROM, non-volatile flash memory), a hard drive, an optical storage disc, and similar. The memory 82 can include fixed components that are not physically removable from the client computer (e.g., fixed hard drives) as well as removable components (e.g., removable memory cards). The memory 82 allows for random access, in that programs and data may be both read and written.

The network interface 84 is configured to allow the client computer 14, 16 to communicate with other computers across a network. The network interface 84 can include one or more of a wired and wireless network adaptor as well as a software or firmware driver for controlling such adaptor.

The display 86 and other user interface components 88 can include a display device, such as a monitor and an input device, such as a keyboard, keypad, mouse, touch-sensitive element of a touch-screen display, or similar device. Although the term “click” is used herein with respect to links (hyperlinks), this term should be taken to mean any user interface action that follows a hyperlink.

Each of the client computers 12, 14, 16 is configured to run a web browser 74 or other user agent suitable for the type of content being accessed. The web browser 74 may reference locally stored data 76, such as cookies, saved login credentials, and similar.

Referring to FIG. 4, a method 100 for displaying search results associated with policy-restricted content is shown. Although the method 100 is discussed in the context of the computer system 10 of FIG. 1 for explanatory purposes, other computer systems may be used.

At 102, a content request for network access to content accessible via a network is received from a requesting computer, such as one of the client computers 12, 14, 16 (FIG. 1). The content request can include a network location of the content (e.g., a URL specifying a web page, an FTP location, or similar) or other indication of the desired content, such as keywords/phrase entered into a search engine.

The content request may further include an identity associated with the requesting computer 12, 14, 16. The identity may be based on the network address (e.g., IP address) of the requesting computer 12, 14, 16, so that anyone using the requesting computer is subject to the same policy. The identity may be based on the login credential of a user of the requesting computer 12, 14, 16, so that specific users can have specific policies. The network address or login credential may be used to look up identifying information (e.g., age, role, job title, etc.) about the user of the requesting computer 12, 14, 16, and this may be or form part of the user identity.

Then, at 104, it is determined whether the content request is subject to a restrictive policy. A policy database may be queried. FIG. 5 shows an example of a policy database 120 that stores associations between URLs 122, content categories 124, and policies 144. Policies for URLs shown as “allow” and “deny” respectively allow access to the desired content and deny access to the desired content. An example of a restrictive policy includes a policy that provides a warning or attempts to steer users away from specific content. In the example depicted, “warn” is used to indicate that a web site is subject to restrictive policy. Restrictive policy may be applied in, for example, cases where web sites are known to host potentially malicious code, such as viruses, malware, or Trojans, that may detrimentally affect performance of the computer 12, 14, 16 and a network over which it communicates.

Another restrictive policy may additionally specify an identity 132 of the user making the content request, as shown by policy database 130 of FIG. 6. For example, users of different groups, e.g., “student”, “teacher”, and “admin”, can be subject to different policy for the same site. One group is outright denied access to the site (and served a deny page, if appropriate), another group is subject to a restrictive policy, and yet another group is allowed to view the site without hindrance.

Yet another restrictive policy may specify keywords/phrases 142 instead of URLs, as shown by policy database 140 of FIG. 7. A keyword or phrase may be submitted by the user conducting a search at a search engine, and it may be advantageous to assert policy on keywords/phrases when the resulting search results contain a high number of web sites that are also subject to restrictive policy.

Features and aspects of each policy database 120, 130, and 140 may be combined with each other and further combined with other policy features and aspects described elsewhere herein.

When the content requested is not subject to a restrictive policy (and also not outright denied or blocked), then the requested content is provided, at 106, to the requesting computer 12, 14, 16.

On the other hand, when the content requested is subject to a restrictive policy (e.g., “warn”), then, at 108, a search query is constructed based on the content request.

If the content request contains a URL that was entered into the address bar of the web browser 74 or a URL from a link that was followed by the computer 12, 14, 16, then the search query can be a string that identifies the location of a search engine and the URL, or a modified version thereof, that is to be passed to the search engine to execute the search. Examples of such are given elsewhere in this disclosure.

It may be useful to modify the URL of the content request in various ways for various reasons. First, a URL can be reduced to its second-level domain by, for example, stripping off the top-level domain, e.g., “.com”, and the subdomain, e.g., “www.”, so that the URL “www.badsite.com” would become “badsite”. This can advantageously catch other references to the web site “www.badsite.com” that the user is also to be guided away from, as well as alternate versions of the site hosted at other locations, such as “www.badsite.org”.

Second, if a URL contains parameters, which typically take the form of key-value pairs, e.g., “?catalogpage=5&item=38”, then any or all of these parameters can be stripped from the URL before it is included in the search query. For example, the URL “www.badsite.com?catalogpage=5&item=38” would become “www.badsite.com”. This is advantageous in that commonly accessed landing pages can be cached at a server, thereby saving processing and storage resources by avoiding repeatedly dynamically generating substantially the same landing page for a multitude of different parameter values and combinations.

It may also be beneficial to add parameters to the search query, such parameters known to eliminate or reduce the occurrence of search result hits for the URL, since this may further steer the user away from the undesirable site. For example, the search query can further include a parameter such as “-site:www.badsite.com” to eliminate or reduce links to “www.badsite.com” in the search results.

If the content request contains a text string that was submitted using a request method, such as HTTP POST or GET, then the search query can be a string that identifies the location of a search engine and includes the submitted text string. This can advantageously allow a search query made to an initial search engine to be fed to a different search engine and, particularly, a search engine that returns fewer results that would be subject to policy (e.g., fewer web sites containing malicious code, in this example).

Then, at 110, the original content request is responded to with a network location of a landing page configured to display a search result of the search query constructed at 108. The search result can be displayed in association with a message indicative of the restrictive policy that caused the landing page to be displayed, as shown in FIGS. 8 and 9.
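Steps 104 to 110 for a URL request can be sketched as follows. This is an added example, not code from the disclosure: the policy rows, the landing page host and all function names are assumptions, and the search URL is built with a literal "?" and percent-encoded only when nested as the value of "show". It also includes a check the landing page script can apply so that its iframe is only ever pointed at the configured search engine.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample rows in the shape of FIG. 6: (host, identity) -> policy.
POLICY_DB = {
    ("www.badsite.com", "student"): "deny",
    ("www.badsite.com", "teacher"): "warn",
    ("www.badsite.com", "admin"): "allow",
}
SEARCH_ENGINE = "http://www.searchengine.com/search"  # host used in the page's examples
LANDING_PAGE = "http://landing.example/"              # hypothetical landing page host
TRACKING = ("pc", "NETS")                             # tracking parameter from the page


def host_of(url):
    """Lower-cased host only; path, key-value parameters and fragment are dropped."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url  # urlsplit only recognises a host after '//'
    return (urlsplit(url).hostname or "").lower()


def lookup_policy(url, identity):
    """Step 104. Treating a missing row as 'allow' is an assumption of this sketch."""
    return POLICY_DB.get((host_of(url), identity), "allow")


def search_terms(url, reduce_to_sld=False, exclude_site=False):
    """Step 108: apply the URL modifications described in the text."""
    host = host_of(url)
    term = host
    if reduce_to_sld:
        # Naive reduction: 'www.badsite.com' -> 'badsite'. Suffixes with more
        # than one label (e.g. 'co.uk') would need a public suffix list.
        labels = host.split(".")
        term = labels[-2] if len(labels) >= 2 else host
    if exclude_site:
        term += " -site:" + host
    return term


def build_search_query(url, **options):
    """Search engine URL carrying the derived terms and the tracking parameter."""
    return SEARCH_ENGINE + "?" + urlencode([("q", search_terms(url, **options)), TRACKING])


def landing_page_location(search_query):
    """Step 110: nest the search URL, percent-encoded, as the value of 'show'."""
    return LANDING_PAGE + "?" + urlencode({"show": search_query})


def respond(url, identity):
    """Return (action, location); 'redirect' corresponds to the HTTP 302 response."""
    policy = lookup_policy(url, identity)
    if policy == "warn":
        return "redirect", landing_page_location(build_search_query(url))
    if policy == "deny":
        return "deny", None
    return "forward", None


def show_target_allowed(landing_location):
    """Landing page side: accept 'show' only if it points at the configured engine."""
    query = parse_qs(urlsplit(landing_location).query)
    target = urlsplit(query.get("show", [""])[0])
    engine = urlsplit(SEARCH_ENGINE)
    return (target.scheme, target.hostname, target.path) == (
        engine.scheme, engine.hostname, engine.path)


if __name__ == "__main__":
    for who in ("student", "teacher", "admin"):
        print(who, respond("http://www.badsite.com?catalogpage=5&item=38", who))
```

Because the "show" value reaches the browser inside a URL the client can edit, the landing page script should apply a check like show_target_allowed before loading the iframe rather than trusting the parameter.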

The method 100 then begins anew by waiting for the user of the computer 12, 14, 16 to subsequently request content, which may be the related content provided in the search result of the landing page. When a subsequent request is made at the landing page by the requesting computer 12, 14, 16, the subsequent request is compared to policy at 104. If no restrictive (or deny) policy applies, then the subsequent request is responded to with the related content, at 106, the user is advantageously taken to content that is similar to what was originally requested but which conforms to policy, and the method 100 ends.

FIG. 8 shows an example of a landing page 150, as displayed in the web browser 74 of a requesting computer 12, 14, 16. The landing page 150 may be dynamically generated (e.g., by a script or other program, such as PHP, Ruby on Rails, Microsoft ASP, and the like) and provided to the web browser 74 as an HTML/CSS document.

The landing page 150 can include one or more policy message display elements 152, 154 that visually indicate to the user of the requesting computer 12, 14, 16 that their original content request (e.g., clicked/typed URL or searched keywords/phrases) was found to be subject to a restrictive policy.

Moreover, when the landing page 150 is generated, a link to the requested content is excluded from the landing page 150. This can be advantageous when users may need more guidance to avoid content subject to restrictive policy, in that users are not provided with a convenient way to click through the landing page 150 to arrive at the originally requested content.

The landing page 150 includes the search results 156, which can be presented in an element, such as an iframe. This allows for the search results 156 to be displayed as if they were obtained from an original search initiated by the user. Furthermore, a search input element (e.g., a textbox) and submit element (e.g., submit button) may be provided, as indicated at 158, with the search input element being pre-populated with the original search.

FIG. 9 shows an example of another landing page 160, as displayed in the web browser 74 of a requesting computer 12, 14, 16. The landing page 160 differs from the landing page 150, in that the landing page 160 does not include the search input and submit elements 158. Moreover, the landing page 160 includes a continuation message element 162 that provides a link to the content originally requested along with an additional cautionary message, so that the user may advantageously click past the landing page after being cautioned.

The link presented in the continuation message element 162 to the content originally requested may lead to an intermediate page that provides a final link to the originally requested content juxtaposed with a disclaimer that warns the user that the Internet service provider cannot be held responsible should the user still continue to the content originally requested.

In both example landing pages 150, 160, the search results 156 are presented in an iframe and appear as if the user had originally conducted the search. This is advantageous in that the search provider remains in control of the presentation and content of the search results 156 and the publisher of the landing page 150, 160 need not maintain a presentation and content engine to generate custom search results for landing pages.

In any of the embodiments above, a tracking parameter may be appended to the search query. The tracking parameter carries through to the links of the search results shown in the landing page. If the user of the computer 12, 14, 16 that displays the landing page clicks such a link, the search provider can detect the tracking code to build a metric as to how much traffic is generated by such landing pages and for what searches and categories of content. Such a metric can also be used to bill the search provider on a per-click basis in return for publishing the landing pages.

An example tracking parameter is “pc=NETS” and an example of a search query that bears the tracking parameter and that can be constructed according to the principles described herein is

http://www.searchengine.com/search%3Fq=www.badsite.com%26pc=NETS

where “%26” is a URL code for the symbol “&” which denotes a subsequent key-value parameter.

Although in the description above, the example of malicious code bearing web sites was referenced, other categories of network content are applicable as well, such as web sites that contain content that promotes or encourages drug use, illegal activities, cultural insensitivity, hate speech, violence, suicide or self harm, or similar.

While the foregoing provides certain non-limiting example embodiments, it should be understood that combinations, subsets, and variations of the foregoing are contemplated. The monopoly sought is defined by the claims.

1. A method comprising: receiving from a requesting computer a content request for network access to content accessible via a network; when determining that the content request is subject to a restrictive policy, constructing a search query based on the content request; and responding to the content request with a network location of a landing page, the landing page configured to display a search result of the search query in association with a message indicative of the restrictive policy.
2. The method of claim 1 further comprising: receiving from the requesting computer a subsequent request for network access to related content accessible via the search result; and responding to the subsequent request with the related content.
3. The method of claim 1, wherein the content request comprises a network location of the content.
4. The method of claim 1, wherein the content request comprises an identity associated with the requesting computer.
5. The method of claim 4, wherein the identity is based on a network address of the requesting computer.
6. The method of claim 4, wherein the identity is based on a login credential of a user of the requesting computer.
7. The method of claim 1, further comprising including a link to the content on the landing page.
8. The method of claim 1, further comprising excluding a link to the content from the landing page.
9. The method of claim 1, wherein the landing page comprises an iframe in which the search result is displayable.
10. The method of claim 1, further comprising configuring the search result to appear as an original search result.
11. The method of claim 1, wherein the policy is configured for malicious content.
12. A non-transitory computer-readable medium comprising processor-executable instructions configured to perform the method of claim 1.
13. A computer system comprising: at least one computer configured to: receive a content request for network access to content accessible via a network; when determining that the content request is subject to a restrictive policy, construct a search query based on the content request; and respond to the content request with a network location of a landing page, the landing page configured to display a search result of the search query in association with a message indicative of the restrictive policy.
14. The computer system of claim 13, wherein the at least one computer comprises: a client computer having a web browser configured to make the content request; and at least one server configured to receive the content request, construct the search query, and respond to the content request.
15. The computer system of claim 14, wherein the content request comprises an identity associated with the client computer.
16. The computer system of claim 15, wherein the identity is based on a network address of the client computer.
17. The computer system of claim 15, wherein the identity is based on a login credential of a user of the client computer.
18. The computer system of claim 13, wherein the at least one computer is further configured to: receive a subsequent request for network access to related content accessible via the search result; and respond to the subsequent request with the related content.
19. The computer system of claim 13, wherein the content request comprises a network location of the content.
20. The computer system of claim 13, wherein the at least one computer is further configured to include a link to the content on the landing page.
21. The computer system of claim 13, wherein the at least one computer is further configured to exclude a link to the content from the landing page.
22. The computer system of claim 13, wherein the landing page comprises an iframe in which the search result is displayable.
23. The computer system of claim 13, wherein the at least one computer is further configured to configure the search result to appear as an original search result.
24. The computer system of claim 13, wherein the policy is configured for malicious content.
25. A method comprising: receiving from a requesting computer a content request for network access to content accessible via a network; when determining that the content request is subject to a restrictive policy, obtaining a uniform resource locator (URL) of a search engine; and redirecting the content request to a network location of a landing page, the landing page configured to display a search input element and a submit element of the search engine in association with a message indicative of the restrictive policy.
26. The method of claim 25, wherein the content request includes one or more search keywords/phrases inputted at the requesting computer.
27. The method of claim 26, further comprising pre-populating the search input element at the landing page with the one or more search keywords/phrases.
28. The method of claim 26, wherein the one or more search keywords/phrases are initially provided by the requesting computer to a different search engine, resulting in the determination that the content request is subject to the restrictive policy.
29. The method of claim 25, further comprising constructing a search query based on the content request and configuring the landing page to display a search result of the search query as executed by the search engine.
30. The method of claim 25, wherein the content request comprises an identity associated with the requesting computer.
31. The method of claim 25, further comprising including a link to the content on the landing page.
32. The method of claim 25, further comprising excluding a link to the content from the landing page.
33. A non-transitory computer-readable medium comprising processor-executable instructions configured to perform the method of claim 25.
34. A computer system comprising: at least one computer configured to: receive from a requesting computer a content request for network access to content accessible via a network; obtain a uniform resource locator (URL) of a search engine when determining that the content request is subject to a restrictive policy; and redirect the content request to a network location of a landing page, the landing page configured to display a search input element and a submit element of the search engine in association with a message indicative of the restrictive policy.
35. The computer system of claim 34, wherein the content request includes one or more search keywords/phrases inputted at the requesting computer.
36. The computer system of claim 35, further comprising pre-populating the search input element at the landing page with the one or more search keywords/phrases.
37. The computer system of claim 35, wherein the one or more search keywords/phrases are initially provided by the requesting computer to a different search engine, resulting in the determination that the content request is subject to the restrictive policy.
38. The computer system of claim 34, wherein the at least one computer is further configured to construct a search query based on the content request and to configure the landing page to display a search result of the search query as executed by the search engine.
39. The computer system of claim 34, wherein the content request comprises an identity associated with the requesting computer.
40. The computer system of claim 34, wherein the at least one computer is further configured to include a link to the content on the landing page.
41. The computer system of claim 34, wherein the at least one computer is further configured to exclude a link to the content from the landing page.